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TECHNICAL FIELD 

The present invention relates to methods and systems that authorize the 
5 distribution and/or display of information based on the authorization privileges 
of the user or system requesting the information. 
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BACKGROUND 

Documents and other collections of information are routinely 
downloaded from servers and displayed (or presented) on client computer 
systems. These documents may contain confidential information or other 
information that is only made available to authorized individuals or authorized 
systems. For example, a document may contain confidential salary information 
f that is restricted to viewing by company managers or other individuals that 
m 15 require access to such information. The salary information should not be 
displayed to other individuals. 

Similarly, a particular document may contain information that is 
appropriate for adults, but inappropriate for children. In this situation, children 
should not be permitted to view the information that is inappropriate for them. 
In another example, individuals may be required to pay a fee to view certain 
portions of a document or to view an entire document. In this example, only 
those individuals that have paid the appropriate fee should be permitted to view 
the entire document (i.e., the "free" portions of the document as well as the 
portions for which a fee was paid). 
25 Existing systems typically block access to an entire document if a 

particular individual is not permitted to view a particular portion of the 
document. Thus, if a particular document contains confidential information, 
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such as salary information, that an individual is not permitted to view, the 
individual is prevented from viewing any portion of the document, including 
those portions that do not contain confidential information. In this situation, it 
is not necessary to restrict access to information that is not confidential. If the 
document contains other information that is useful to the individual, they are 
prevented from viewing that information because a small portion of the 
document contains confidential information. 

The invention described herein addresses these problems by allowing a 
portion of a document to be redacted without preventing access to other 
portions of the document. 

SUMMARY 

The systems and methods described herein authorize the distribution of 
documents and/or the display of documents based on the access privileges of 
the requesting user or system. Portions of a particular document may be 
redacted or deleted depending on the access privileges of the user or system. 
Although a portion of the document is redacted, the remainder of the document 
can be viewed by the user of the system. The redacted portion of the document 
may be visually blurred such that the general appearance of the redacted 
portion remains visible, but the details of the redacted portion are not visible. 
Alternatively, the redacted portion of the document is deleted (e.g., by 
replacing the redacted portion with a solid black or solid white image). 

In a particular embodiment, a request for a document is received from a 
source. A determination is made regarding an authorization level associated 
with the source of the request. Another determination is made regarding an 
authorization level required to view the requested document. If the source of 
the request is authorized to receive the requested document, the requested 
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document is transmitted to the source of the request. If the source of the 
request is not authorized to receive the requested document, the unauthorized 
portions of the document are redacted and the redacted version of the requested 
document is transmitted to the source of the request. 

In a described embodiment, the redacting of unauthorized portions of the 
requested document includes deleting the unauthorized portions of the 
requested document. 

In another embodiment, the redacting of unauthorized portions of the 
requested document includes visually blurring the unauthorized portions of the 
requested document. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention is illustrated by way of example and not limitation 
in the figures of the accompanying drawings. The same numbers are used 
throughout the figures to reference like components and/or features. 

Fig. 1 illustrates an exemplary environment in which the methods and 
systems described herein may be implemented. 

Fig. 2 is a block diagram illustrating pertinent portions of an 
authorization system. 

Fig. 3 is a flow diagram illustrating a procedure for distributing 
documents from a server to a client. 

Fig. 4 is a flow diagram illustrating a procedure for receiving and 
displaying a document. 

Fig. 5 is a block diagram of a computer system that can be utilized in 
accordance with one or more embodiments described herein. 
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DETAILED DESCRIPTION 

The systems and methods described herein authorize the distribution and 
display of documents based on the access privileges of a requesting user or 
system. If a user or system is not authorized to view certain portions of a 
document, those portions are redacted prior to communicating or displaying the 
document to the system or user. Thus, different users may be permitted to view 
different portions of the same document, depending on the access privileges of 
each user. In certain situations, the redacted portions of the document may be 
partially visible to encourage the user to pay a fee or otherwise gain permission 
to access the redacted portions. 

Fig. 1 illustrates an exemplary environment 100 in which the methods 
and systems described herein may be implemented. Network environment 100 
includes a server 102, a network 104, and client computers 106 and 108. 
Server 102 contains various documents, application programs, and data, as 
discussed below. Network 104 may be any type of data communication 
network utilizing any network topology and any network communication 
protocol. For example, network 104 may be a local area network (LAN), a 
wide area network (WAN), or the Internet. Additionally, network 104 may be a 
combination of two or more different networks. 

Client computers 106 and 108 are also coupled to network 104. Client 
computers 106 and 108 communicate with server 102 and with one another via 
network 104. Although client computer 106 is illustrated as a laptop computer 
and client computer 108 is illustrated as a desktop computer, client computers 
106 and 108 can be any type of computing device, including a palmtop 
computer, a personal digital assistant (PDA), a cellular phone, a set top box, or 
other device. Although a single server 102 and two client computers 106 and 
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108 are shown in Fig. 1, a particular environment may include any number of 
servers and any number of client computers coupled to one another. 

As shown in Fig. 1, server 102 contains a communication module 110, 
an document control module 112, and information display policies 114. 
Communication module 110 provides a mechanism for server 102 to 
communicate with other computing devices coupled to the network (e.g., client 
computers 106 and 108). Document control module 112 handles the 
distribution of documents from server 102 to other computing devices via 
network 104. For example, document control module 112 may access various 
information display policies 114 to determine which portions of a particular 
document may be distributed to a requesting client computer. 

Server 102 also contains multiple documents (Document 1, Document 2, 
... Document N) identified by reference numbers 116, 118, and 120, 
respectively. A particular server 102 may contain any number of documents. 
These documents may contain text, images, tables, charts, and any other type of 
data or graphical image. As used herein, a "document" refers to any collection 
of alphanumeric characters, images, or data. For example, a report containing 
text, pictures, and tables is a document. Similarly, a photograph is a document. 
A document may also be one or more web pages. A particular document may 
contain one or more audio files that contain music, sound effects, verbal 
instructions, or other audio content. These audio files may be "redacted" by, 
for example, preventing playback of the audio file or distorting the audio file 
such that the associated audio content is unclear or unintelligible. 

Client computer 108 contains a communication module 130, 
information display policies 132, an authorization module 134, and a rendering 
module 136. Communication module 130 allows client computer 108 to 
communicate with other computing devices coupled to network 104. 
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Information display policies 132 define the types of information that can be 
displayed (or otherwise presented) to various users of client computer 108. 
Authorization module 134 determines whether a particular user of client 
computer 108 is authorized to view a particular document (i.e., view the 
complete document or a portion of the document). This determination is made 
by applying information display policies 132 to the information contained in 
the document. Rendering module 136 generates a version of a document in 
which the portions that the user is not authorized to view have been redacted. 
Although not shown in Fig. 1, client computer 106 may contain modules and 
policies similar to those discussed above with respect to client computer 108. 

Fig. 2 is a block diagram illustrating pertinent portions of an 
authorization system. The authorization system shown in Fig. 2 may be 
implemented in a server or a client computing device. Authorization module 
134 includes authorization policies 202, which are used to determine whether a 
particular individual is authorized to view particular types of information that 
may be contained in a document. For example, the authorization policies 202 
may define multiple levels of authorization. Each level of authorization 
provides access to certain types of information that may be contained in a 
document. Authorization module 134 also receives a user ID (or computer 
system ID), and a password to authenticate the user ID and determine 
information that the user is permitted to access. 

Authorization module 134 determines the appropriate authorization 
results (such as an authorization level) associated with the user ID. These 
authorization results are provided to rendering module 136, which also receives 
one or more documents to which the authorization results are applied. The 
documents provided to rendering module 136 are typically in an electronic 
format (e.g., web pages, word processing documents, images, or audio files). 
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Rendering module 136 applies the authorization results to the received 
documents and generates a rendered document, which may contain one or more 
redacted portions, depending on the authorization results and the document 
contents. One or more portions of a document can be redacted by deleting the 
information or making the entire portion a solid color, such as black or white, 
thereby hiding the content of the document portion. Alternatively, a portion of 
a document can be visually blurred such that the information is not intelligible 
to the viewer. As mentioned above, audio files may be deleted or distorted to 
prevent clear playback of the audio content. 

Various procedures are available for blurring portions of a document. 
For example, a pixel averaging technique can be used to blur an image or other 
portion of a document. Using this technique, each pixel value is calculated (or 
recalculated) by averaging the original value of the pixel with the values of the 
eight surrounding pixels. Alternatively, the pixel value may be determined by 
averaging any number of surrounding pixels, depending on the amount of 
blurring desired. 

In a particular embodiment, a portion of a document may be slightly 
blurred, such that the viewer can see the general content of the redacted 
portion, but cannot see the details. This approach may be used, for example, to 
encourage a viewer to purchase a complete (i.e., unredacted) version of the 
document. This embodiment is particularly useful when the redacted portion of 
the document is an image. If the viewer is interested in the content of the 
slightly blurred version of the image, the viewer may be encouraged to 
purchase a clear (non-blurred) version of the image. 

Table 1 below illustrates an example of multiple levels of authorization 
and the access privileges associated with each of the multiple levels. Table 1 
represents one example of authorization policies 202. 
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TABLE 1 



Authorization 
Level 


Access Privileges 


Public 


Public Information 


Low 


Public Information and 
Employee Addresses 


Medium 


Public Information, 
Employee Addresses, and 
Employee Salary Information 


High 


Public Information, 
Employee Addresses, 
Employee Salary Info, and 
Employee Evaluations 



Table 1 illustrates four different authorization levels: Public, Low, Medium, 
and High. An individual having a Public Authorization Level can access public 
information contained in a document (i.e., non-confidential information). An 
individual having a Low Authorization Level can access public information in 
the document as well as employee addresses. An individual having a Medium 
Authorization Level can access public information, employee addresses, and 
employee salary information contained in the document. An individual with a 
High Authorization Level can access all information accessed by the Medium 
Authorization Level as well as employee evaluation information. Thus, a 
single document can be used by individuals at all four authorization levels 
instead of providing a separate version of the document for each of the four 
levels. 

A particular document may not contain all of the information discussed 
above. For example, a particular document may contain public information 
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and a portion of an employee evaluation. In this example, the Public, Low, and 
Medium Authorization Levels can access the public information. Individuals 
with a High Authorization Level can access both the public information and the 
employee evaluation information in the document. 

Table 1 illustrates one technique for determining access privileges for 
different individuals. Various other techniques may also be used to define one 
or more authorization policies. 

In another implementation, the document is a parts catalog that contains 
part descriptions as well as retail pricing and wholesale pricing of the described 
. 10 parts. In this implementation, everyone accessing the document is permitted to 
view the part descriptions and the retail pricing. However, the wholesale 
pricing information is redacted for those users (or systems) that are not able to 
purchase parts at wholesale prices. Only those users or systems that are 
permitted to purchase parts at wholesale prices are permitted to view the 
m 15 wholesale pricing information. This implementation allows a single document 

JS| to support both retail and wholesale customers, instead of creating and 

p 

maintaining a separate document for each set of customers. 

The manner in which an image or other portion of a document is to be 
redacted may be contained in the image or document itself. For example, a 

20 particular image storage format may allocate 24 bits of data for each pixel, 
which leaves eight unused bits in a 32 bit system. These additional eight bits 
can be used to define a redacted version of the pixel (e.g., black, white, or 
blurred using a pixel averaging technique). In one implementation, the 
collection of eight bits represent a mask image that is applied to the original 

25 image to redact the original image. In another implementation, the collection 
of eight bits represent a second image that replaces the original image if the 
original image is redacted. 
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Redacting of portions of a document as described herein may be applied 
to a fixed document or a still image as well as a changing video image or a 
changing document (such as a changing web page, full-motion video or other 
dynamic document). For example, in the case of a changing image, the 
5 additional eight bits may change to identify different portions of the image to 
be redacted or to identify different techniques for redacting the image as the 
image changes. The location, size, and shape of the redacted region may 
change as the document changes. Thus, the additional bits of data may also 
define the particular region (or regions) of the document to redact at a 
M 10 particular time. 

pjj Fig. 3 is a flow diagram illustrating a procedure 300 for distributing 

[m documents from a server to a client. Initially, a server receives a request for a 

particular document (block 302). The procedure then identifies the source of 

i 

B the request (block 304). The source of the request may be identified as an 

ftj 15 individual user or identified as a computer system (e.g., a client computer 
gri system). The source of the request may identify itself in the request using a 

M user ID or a computer ID. The procedure then determines an authorization 

level associated with the source of the request (block 306). This determination 
may be performed, for example, by an authorization module, such as 
20 authorization module 134. 

The procedure 300 then determines what authorization level is required 
to view the requested document (block 308). As discussed above, different 
portions of a document may require different authorization levels to view the 
document portions. Next, the server determines whether the source of the 
25 request is authorized to receive a complete (i.e., unredacted) version of the 
requested document (block 310). If the source of the request is authorized to 
receive a complete version of the requested document, the server transmits the 
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complete version of the requested document to the source of the request (block 
314). If the source of the request is not authorized to receive a complete 
version of the requested document, the server redacts the unauthorized portions 
of the document (block 316) and transmits the redacted version of the 
document to the source of the request (block 318). 

Fig. 4 is a flow diagram illustrating a procedure 400 for receiving and 
displaying a document. Initially, a computer receives a document from a 
source (block 402), such as a server. Depending on the authorization level of 
the user or computer system that received the document, portions of the 
received document may have been redacted by the source of the document. 
The procedure then determines an authorization level required to view the 
received document (block 404). This determination may be based on the 
confidentiality of the information, such as confidential corporate or employee 
information. Alternatively, the determination may be based on the maturity 
level required to view the content of the document. For example, portions of 
the document may contain images or other information that is appropriate for 
adults, but inappropriate for children. As discussed above, different portions of 
a document may require different authorization levels to view the document 
portion. 

The procedure 400 then determines an authorization level associated 
with a current user of the computer (block 406). The current user of the 
computer may be identified, for example, by requiring the user to login using a 
user ID and password. The computer then determines whether the current user 
of the computer is authorized to view a complete (i.e., unredacted) version of 
the received document (block 408). If the current user of the computer is 
authorized to view the complete version of the received document, the 
complete version of the document is displayed on the computer (block 412). If 
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the current user of the computer is not authorized to view the complete version 
of the received document, the procedure redacts the unauthorized portions of 
the document (block 414) and displays the redacted version of the document on 
the computer (block 416). 

Fig. 5 is a block diagram of a computer system 500 that can be utilized 
in accordance with one or more embodiments described herein. Computer 
system 500 can be, for example, a server such as server 102 and/or a client 
computer such as client computers 106 or 108 of Fig. 1. Computer system 500 
represents a wide variety of computing devices, such as desktop computers, 
portable computers, dedicated server computers, multi-processor computing 
devices, cellular telephones, PDAs, handheld or pen-based computers, 
microcontroller-based electronic devices, gaming consoles, and so forth. 

Computer system 500 includes one or more processors 502, memory 
504, a mass storage device 506, and an input/output (I/O) interface 508, all 
coupled to a bus 510. Bus 510 represents one or more buses in computer 
system 500, such as a system bus, processor bus, accelerated graphics port 
(AGP), peripheral component interconnect (PCI), and so forth. The bus 
architecture can vary by computing device as well as by manufacturer. I/O 
interface 508 is a conventional interface allowing components of computer 
system 500 (e.g., processor(s) 502) to communicate with other computing 
devices, such as via network 104 of Fig. 1. I/O interface 508 may be, for 
example, a modem, a network interface card (NIC), and so forth. 

Memory 504 represents volatile and/or nonvolatile memory used to store 
instructions and data for use by processor 502. Typically, instructions are 
stored on mass storage device 506 (or nonvolatile memory) and loaded into a 
volatile memory 504 for execution by processor(s) 502. Additional memory 
components may also be involved, such as cache memories internal or external 
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to processor 502. Various embodiments can be implemented, at different times, 
in any of a variety of computer readable media that is part of, or readable by, 
computer system 500. For example, such computer readable media may be 
mass storage device 506, memory 504 or a cache memory, a removable disk 
(not shown) that is accessible by processor 502, or another controller of 
computer system 500 (such as a magnetic disk or optical disk), and so forth. 

Computer system 500 is exemplary only. It is to be appreciated that 
additional components (not shown) can be included in computer system 500 
and some components illustrated in computer system 500 need not be included. 
For example, a display adapter, additional processors or storage devices, 
additional I/O interfaces, and so forth may be included in computer system 500, 
or mass storage device 506 may not be included. 

The discussions herein refer to software components and modules that 
can be executed by a computing device. It is to be appreciated, however, that 
the components and processes described herein can be implemented in 
software, firmware, hardware, or a combination thereof. By way of example, a 
programmable logic device (PLD) or an application specific integrated circuit 
(ASIC) could be configured or designed to implement various components 
and/or processes discussed herein. 

Although the invention has been described in language specific to 
structural features and/or methodological steps, it is to be understood that the 
invention defined in the appended claims is not necessarily limited to the 
specific features or steps described. Rather, the specific features and steps are 
disclosed as preferred forms of implementing the claimed invention. 
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